the clock time from the Internet with the possible
risk of allowing unsecured packets through the firewall. Many
NTP servers on the Internet do not require any authentication
of peers. Therefore, the network administrator must trust that
the clock itself is reliable, valid, and secure. NTP uses User
Datagram Protocol (UDP) port 123.
Content 5.8 Securing Management and Reporting Features
5.8.3 Configuring an SSH Server for Secure Management and Reporting

You should use SSH instead of Telnet to manage
your Cisco routers whenever possible. SSH version 1 (SSHv1) is
supported in Cisco IOS Release 12.1(1)T and later, while SSH
version 2 (SSHv2) is supported in Cisco IOS Release 12.3(4)T
and later. Cisco routers that are configured for SSH act as SSH
servers. You must provide an SSH client, such as PuTTY,
OpenSSH, or TeraTerm, for the administrator workstation that
you want to use to configure and manage routers using SSH.
Note
Cisco routers with Cisco IOS Releases 12.1(3)T and later can act as SSH clients as well as SSH servers. This means that you could initiate an SSH client-to-server session from your router to a central SSH server system.

SSH employs strong encryption to protect the SSH client-to-server session. Unlike Telnet, where anyone with a sniffer can see exactly what you are sending and receiving from your routers, SSH encrypts the entire session.

Complete these tasks before configuring your routers for SSH server operations:
- Ensure that the target routers are running a Cisco IOS Release 12.1(1)T image or later with the IPsec feature set. Only Cisco IOS software images containing the IPsec feature set support an SSH server.
- Ensure that the target routers are configured for local authentication, or that the AAA server is configured for username and password authentication, or both.
- Ensure that each of the target routers has a unique hostname.
- Ensure that each of the target routers is using the correct domain name of your network.
Complete these steps to configure your Cisco router to support SSH server (see the sample configuration in Figure ):

Step 1 Configure the IP domain name of your network using the ip domain-name command in global configuration mode:
Austin2(config)#ip domain-name cisco.com

Step 2 Generate the keys that will be used with SSH by generating the Rivest, Shamir, and Adleman (RSA) keys using the crypto key generate rsa command in global configuration mode:
Austin2(config)#crypto key generate rsa general-keys modulus 1024

Note
A minimum key length of modulus 1024 is recommended.

Step 3 Optionally, to display the generated keys, use the show crypto key mypubkey rsa command in privileged EXEC mode.

Step 4 Configure the time that the router waits for the SSH client to respond using the ip ssh timeout command in global configuration mode:
Austin2(config)#ip ssh timeout 120

Step 5 Configure the permitted number of SSH retries using the ip ssh authentication-retries command in global configuration mode:
Austin2(config)#ip ssh authentication-retries 4

Caution
Be sure to disable Telnet transport input on all of the router vty lines or the router will continue to allow insecure Telnet sessions.

Step 6 Disable vty inbound Telnet sessions:
Austin2(config)#line vty 0 4
Austin2(config-line)#no transport input telnet

Step 7 Enable vty inbound SSH sessions:
Austin2(config-line)#transport input ssh

The SSH protocol is automatically enabled once you generate the SSH (RSA) keys, as shown in Figure . Once the keys are created, you can access the router SSH server using your SSH client software. The procedure for connecting to a Cisco router SSH server varies depending on the SSH client application that you are using. Generally, the SSH client passes your username to the router SSH server. The router SSH server prompts you for the correct password. Once the password has been verified, you can configure and manage the router as if you were a standard vty user.
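As an added example that is not part of the course text, the following Python script checks a saved running-config against the steps above: the domain name from step 1, a non-default hostname, the SSH timeout and retry limits from steps 4 and 5, and vty lines that accept SSH only (steps 6 and 7). The two configuration fragments are constructed for this example; the hostname Austin2 and the domain cisco.com are taken from the steps above. The script assumes the running-config stores the timeout as ip ssh time-out, and also accepts the ip ssh timeout spelling used in step 4. RSA keys are not part of the running-config, so the script cannot verify step 2; show crypto key mypubkey rsa (step 3) remains the check for that.

```python
import re

# Constructed sample fragments (not from the course text). The first follows the
# seven steps above; the second leaves the defaults that keep Telnet reachable.
HARDENED_CONFIG = """\
hostname Austin2
ip domain-name cisco.com
ip ssh time-out 120
ip ssh authentication-retries 4
line vty 0 4
 login local
 transport input ssh
"""

WEAK_CONFIG = """\
hostname Router
ip ssh authentication-retries 4
line vty 0 4
 login local
 transport input telnet ssh
"""


def vty_transport_inputs(config):
    """Collect the 'transport input' keyword lists found under 'line vty' stanzas.

    IOS nests line-mode commands under the 'line ...' command with one leading
    space, so a non-indented line ends the current stanza.
    """
    inputs = []
    in_vty = False
    for line in config.splitlines():
        if not line.startswith(" "):
            in_vty = line.startswith("line vty")
            continue
        match = re.match(r"\s*transport input (.+)$", line)
        if in_vty and match:
            inputs.append(match.group(1).split())
    return inputs


def audit_ssh_config(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    # Step 1: RSA key generation needs a domain name (and a non-default hostname).
    if not re.search(r"^ip domain-name \S+", config, re.M):
        findings.append("step 1: no ip domain-name, so RSA keys cannot be generated")
    hostname = re.search(r"^hostname (\S+)", config, re.M)
    if hostname is None or hostname.group(1) == "Router":
        findings.append("hostname is missing or still the default 'Router'")

    # Steps 4 and 5: client response timeout and authentication retry limit.
    # Assumption: the running-config spells the timeout 'ip ssh time-out';
    # the 'timeout' spelling used in the steps above is accepted as well.
    if not re.search(r"^ip ssh time-?out \d+", config, re.M):
        findings.append("step 4: ip ssh time-out not configured")
    if not re.search(r"^ip ssh authentication-retries \d+", config, re.M):
        findings.append("step 5: ip ssh authentication-retries not configured")

    # Steps 6 and 7: every vty line must accept SSH and nothing else.
    transports = vty_transport_inputs(config)
    if not transports:
        findings.append("steps 6-7: no 'transport input' under line vty; the default may allow Telnet")
    for keywords in transports:
        if "telnet" in keywords or "all" in keywords:
            findings.append("step 6: vty still accepts Telnet (transport input %s)" % " ".join(keywords))
        elif "ssh" not in keywords:
            findings.append("step 7: vty does not accept SSH (transport input %s)" % " ".join(keywords))
    return findings


if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_ssh_config(cfg) or ["no findings"])
```

Run it against the output of show running-config saved to a file; the weak fragment produces four findings, the hardened one none. The Telnet check covers transport input all as well, since that keyword also re-enables Telnet on the line.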
Content 5.8 Securing Management and Reporting Features
5.8.4 Using Syslog Logging for Network Security

Implementing a router logging facility
is an important part of any network security policy. Cisco
routers can log information regarding configuration changes,
ACL violations, interface status, and many other types of
events. Cisco routers can direct log messages to several different facilities. You should configure the router to send log messages to one or more of the following:
- Console: Console logging is used when modifying or testing the router while the router is connected to the console. Messages sent to the console are not stored by the router, and are, therefore, not very valuable as security events.
- Terminal lines: Enabled EXEC sessions can be configured to receive log messages on any terminal lines. Similar to console logging, this type of logging is not stored by the router and is, therefore, only valuable to the user on that line.
- Memory buffer: You may direct a router to store log messages in router memory. Buffered logging is slightly more useful than console logging as a security tool but has the drawback of having events cleared whenever the router is booted.
- SNMP traps: Certain router events may be processed by the router SNMP agent and forwarded as SNMP traps to an external SNMP host. This is a viable security logging facility but requires the configuration and maintenance of an SNMP system.
- Syslog: Cisco routers can be configured to forward log messages to an external syslog service. This service can reside on any number of servers, including Microsoft Windows and UNIX-based systems. Syslog is the most popular message logging facility because Syslog provides long-term log storage capabilities and a central location for all router messages.

Figure summarizes these points.

Syslog Systems
Syslog is a standard for logging system events. As shown in Figure , syslog implementations contain two types of systems:
- Syslog servers: These systems, also known as log hosts, accept and process log messages from syslog clients.
- Syslog clients: Syslog clients are routers or other types of Cisco equipment that generate and forward log messages to syslog servers.

Note
Using router logs can become very difficult if your router clocks are not running the proper time. We recommend that you use an NTP facility to ensure that all of your routers are operating at the correct time.

Cisco Log Severity Levels
Cisco router log messages fall into one of eight levels as described in Figure —the lower the level number, the higher the severity level.
Note
When you enter logging levels in commands in Cisco IOS Release 11.3 and earlier, you must specify the level name. Cisco IOS Release 12.0 and later support using the level number or the level name, or both the number and the name.

Log Message Format
Cisco router log messages contain three main parts:
- Time stamp
- Log message name and severity level
- Message text

Figure shows a syslog entry example for a level 5 syslog message indicating that someone has configured the router from the vty 0 port.

Note
The log message name is not the same as a severity level name.
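As an added example, not part of the course text, here is a small Python parser for the router log format just described. It splits a message into its time stamp, log message name (facility and mnemonic), severity level, and message text, maps the level number to the Cisco severity name, and filters messages by severity so that the "lower number means more severe" rule is visible in code. The sample lines are constructed for this example, in the form a router emits when service timestamps log datetime msec (and optionally service sequence-numbers) is enabled; the first line is a level 5 SYS-5-CONFIG_I message of the kind the figure above describes.

```python
import re

# Cisco severity levels: the lower the number, the more severe the event.
SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# One router log message: [sequence: ][timestamp: ]%FACILITY-LEVEL-MNEMONIC: text
LOG_RE = re.compile(
    r"^(?:(?P<seq>\d+): )?"                                     # optional 'service sequence-numbers'
    r"(?:(?P<timestamp>[*.]?\w{3}\s+\d+ [\d:.]+(?: \w+)?): )?"  # e.g. '*Mar  1 00:12:34.567'
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)

# Constructed sample lines (not from the course text), in the form a router
# emits with 'service timestamps log datetime msec'.
SAMPLE_LOG = [
    "*Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by vty0 (10.0.0.5)",
    "*Mar  1 00:13:01.002: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to down",
    "000042: *Mar  1 00:13:05.118: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.9(4123) -> 10.0.0.1(23), 1 packet",
    "this line is not a Cisco log message",
]


def parse_cisco_log(line):
    """Split one router log line into its parts, or return None if it does not match."""
    match = LOG_RE.match(line)
    if match is None:
        return None
    level = int(match.group("severity"))
    return {
        "sequence": match.group("seq"),
        "timestamp": match.group("timestamp"),
        # The log message name (facility-level-mnemonic) is distinct from the
        # severity name, as the note above points out.
        "name": "%s-%d-%s" % (match.group("facility"), level, match.group("mnemonic")),
        "facility": match.group("facility"),
        "mnemonic": match.group("mnemonic"),
        "severity": level,
        "severity_name": SEVERITY_NAMES[level],
        "text": match.group("text"),
    }


def at_least_as_severe(lines, max_level):
    """Keep parsed messages whose level number is <= max_level (i.e. at least that severe)."""
    parsed = (parse_cisco_log(line) for line in lines)
    return [entry for entry in parsed if entry is not None and entry["severity"] <= max_level]


if __name__ == "__main__":
    for entry in at_least_as_severe(SAMPLE_LOG, 7):
        print(entry["severity"], entry["severity_name"], entry["name"], entry["text"])
```

Feeding the sample through at_least_as_severe with a level of 3 keeps only the LINK-3-UPDOWN line, which is the same selection a logging trap errors setting on the router would make before messages ever reach the log host. Lines that do not carry a %FACILITY-LEVEL-MNEMONIC header are returned as None rather than guessed at.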
Content 5.8 Securing Management and Reporting Features
5.8.5 Configuring Syslog Logging

Figures through show the five steps you take to implement syslog on your Cisco routers:

Step 1 Configure log hosts: You must
configure the router to send log messages to one or more syslog
servers (log hosts). There is no maximum number of log hosts
supported by Cisco routers, but usually only one or two hosts
are needed. Log hosts are identified by their host name or IP
address. Use the logging command in global configuration